User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0a1) Gecko/20110927 Firefox/9.0a1
Build ID: 20110927030845

Steps to reproduce:

Firefox 9.0 doesn't properly allow a user to exit a full screen triggered by invoking the full-screen API using the "ESC" key, thus enabling a spoofing attack.

Steps to reproduce the bug:
1. Go to www.sierramellon.info
2. Click full-screen (invoking the full-screen API on a div element and navigating to a new page)
3. Click submit (invoking the full-screen API on a div element again and navigating to a spoofing page)
4. Pressing ESC doesn't help for exiting the BSOD page.

The purpose of using mytest.html to transition is to distract the user from noticing the animation of the menu bar disappearing when entering full-screen. In this case, a user might not notice he/she is already in full-screen, and a spoofing attack later is possible.

Attack created by Nicholai, Sang, and Xiaoran

Actual results:

Pressing ESC doesn't exit the full-screen page triggered previously by the full-screen API.

Expected results:

Pressing ESC should exit full screen if it was triggered by the full-screen API. See the following test cases. http://pearce.org.nz/full-screen/
I am never taken to full screen mode in Mozilla/5.0 (Windows NT 5.1; rv:9.0a1) Gecko/20110927 Firefox/9.0a1 ID:20110927030845 with a fresh profile. Did you have to change default settings to make this attack work?
Priority: P3 → --
Yes, you have to go to about:config and change full-screen api to be enabled.
Priority: -- → P3
The priority flag is for use by developers - please do not change.

Able to confirm on Mozilla/5.0 (Windows NT 5.1; rv:10.0a1) Gecko/20110928 Firefox/10.0a1 ID:20110928030855

STR:
1. Go to about:config and set full-screen-api.enabled to true
2. Visit http://www.sierramellon.info
3. Click on Full Screen
4. Click Submit
5. Hit Esc

Expected Results: Should exit full screen mode

Actual Results: ESC does not exit full screen mode - have to move cursor to top of page to get the menu
Status: UNCONFIRMED → NEW
Component: Keyboard Navigation → Security
Ever confirmed: true
OS: Linux → All
Priority: P3 → --
QA Contact: keyboard.navigation → firefox
Hardware: x86_64 → All
Version: 9 Branch → Trunk
Why was this moved to Security? It does not seem to be a security bug to me.
It was my best guess at a component - sorry. It is a spoofing possibility... Should this be filed against the full screen api (don't know where that falls) or back to keyboard navigation?
This should be moved back to Keyboard Navigation unless you have a proof of concept testcase which can prove this is a security issue.
Component: Security → Keyboard Navigation
QA Contact: firefox → keyboard.navigation
Andrei -> Thought you might be interested
Thanks for filing this bug. This exploit relies upon navigation while in full-screen mode. We're going to force-exit full-screen mode when navigation occurs (bug 685402). That will be implemented before this feature is enabled in a release build.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID